41 lines
1.4 KiB
Diff
41 lines
1.4 KiB
Diff
From 529f65b0782efbe1137b2504aa1f06504a97dd0a Mon Sep 17 00:00:00 2001
|
|
From: Michael Mann <mmann78@netscape.net>
|
|
Date: Sat, 21 Jun 2025 12:51:24 -0400
|
|
Subject: [PATCH] Schematron: Fix use after free
|
|
|
|
(CVE-2025-49794)
|
|
|
|
Fixes #931
|
|
---
|
|
schematron.c | 9 ++++++++-
|
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
|
|
Index: libxml2-2.11.6/schematron.c
|
|
===================================================================
|
|
--- libxml2-2.11.6.orig/schematron.c
|
|
+++ libxml2-2.11.6/schematron.c
|
|
@@ -1404,8 +1404,11 @@ xmlSchematronGetNode(xmlSchematronValidC
|
|
return(NULL);
|
|
|
|
if ((ret->type == XPATH_NODESET) &&
|
|
- (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0))
|
|
+ (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0)) {
|
|
node = ret->nodesetval->nodeTab[0];
|
|
+ /* Clear the nodeTab so the node data isn't freed below */
|
|
+ ret->nodesetval->nodeTab[0] = NULL;
|
|
+ }
|
|
|
|
xmlXPathFreeObject(ret);
|
|
return(node);
|
|
@@ -1473,6 +1476,10 @@ xmlSchematronFormatReport(xmlSchematronV
|
|
ret = xmlStrcat(ret, BAD_CAST ":");
|
|
ret = xmlStrcat(ret, node->name);
|
|
}
|
|
+
|
|
+ if ((path != NULL) && (node != cur))
|
|
+ xmlXPathNodeSetFreeNs((xmlNsPtr)node);
|
|
+
|
|
} else if (IS_SCHEMATRON(child, "value-of")) {
|
|
xmlChar *select;
|
|
xmlXPathObjectPtr eval;
|